[Zope] RE: What method do I use to check access?

Jay, Dylan djay@lucent.com
Wed, 26 May 1999 17:19:03 +1000


> -----Original Message-----
> From: Michel Pelletier [mailto:michel@digicool.com]
> Sent: Thursday, May 13, 1999 15:51
> To: Jay, Dylan; 'Martijn Pieters'; 'Jason Spisak'; zope@zope.org
> Subject: RE: [Zope] RE: What method do I use to check access?
> 
> > I want a method such that 
> > <!--#if "AUTHENTICATED_USER.hasPermission('View',myDoc)"-->
> > or something similar.
> > 
> 
> I've never seen or used anything like this, so perhaps you may want to
> try to refactor your problem, otherwise:
> 
> Users don't have permissions, Users have roles.  Using the security
> screen in the management interface, you map which roles have which
> permissions, and when you create Users, you give them roles.  If your
> user is in a Role which has the 'View' permission associated with it,
> then you don't need to do the #if check.  I think maybe what you're
> looking for is "Do any of my User's *Roles* map to the permission x?".
> (Not using 'View' as an example because anonymous maps to 'View' by
> default)
> 
> This would require a bit of tinkering, but it could be done with
> AUTHENTICATED_USER.getRoles() and rolesOfPermission(x).  You may also
> want to take a look at AccessControl/Roles.py, there are several methods
> defined in there to examine roles and permissions, like
> permissionsOfRole (the inverse of rolesOfPermission) and
> acquiredRolesAreUsedBy.

I've looked at rolesOfPermission etc. and they don't seem to give what I
want in that they don't recursively check parent permissions if permissions
are acquired. What I really want is an easy way to conditionally include
something based on whether the user can view it (or maybe another
permission). I don't want to have to hard code the roles as this is
duplicating code.
What I want is
<!--#if "AUTHENTICATED_USER.hasPermission(SomeObject, 'View')"-->
 <a href="<!--#var "SomeObject.absolute_url()"-->">Goto SomeObject</a>
<!--#/if-->

The link will only appear if the user can actually go to it. This must be
possible as somewhere in the code this validation must happen already. I've
tried looking but really need some help.
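
The check discussed in this thread, as an added example that is not part of the original post and not Zope's own code: a simplified model of resolving which roles hold a permission on an object when settings are acquired from parents, then intersecting them with the user's roles. The Node class, its fields and both function names are hypothetical, and the hierarchy is constructed sample data.

```python
# Simplified model of role/permission lookup with acquisition.
# All names here are hypothetical; this is not Zope's API.

class Node:
    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        # permission -> (roles granted at this level, acquire from parent?)
        self.settings = {}

    def set_permission(self, permission, roles, acquire=True):
        self.settings[permission] = (frozenset(roles), acquire)


def effective_roles(obj, permission):
    """Roles holding `permission` on obj, walking up while acquisition is on."""
    roles = set()
    while obj is not None:
        # An object with no local setting is assumed to acquire everything.
        local, acquire = obj.settings.get(permission, (frozenset(), True))
        roles |= local
        if not acquire:
            break  # settings above this level no longer apply
        obj = obj.parent
    return roles


def user_has_permission(user_roles, permission, obj):
    """True if any of the user's roles maps to the permission on obj."""
    return bool(effective_roles(obj, permission) & set(user_roles))


# Constructed sample hierarchy: root -> members -> myDoc, root -> publicDoc
root = Node("root")
root.set_permission("View", ["Manager", "Anonymous"], acquire=False)
members = Node("members", root)
members.set_permission("View", ["Member"], acquire=False)  # stops acquisition
my_doc = Node("myDoc", members)       # no local settings, acquires from members
public_doc = Node("publicDoc", root)  # no local settings, acquires from root

if __name__ == "__main__":
    for roles in (["Anonymous"], ["Member"]):
        for target in (my_doc, public_doc):
            allowed = user_has_permission(roles, "View", target)
            print(roles, target.name, "link shown" if allowed else "link hidden")
```

Looking only at my_doc.settings gives an empty answer, which is the limitation described above: the roles that matter are found by following acquisition up to the folder that defines them.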